How Consumers, Enterprises and Insurance Providers Tackle Cyber Risk
The number of instances of hacks, data breaches, system compromises, ransomware and cyber fraud keeps ballooning and shows no indication of stopping.
As the number of instances of hacks, data breaches, system compromises, ransomware, and cyber fraud keeps ballooning and shows no indication of stopping, the insurance industry is striving to keep pace by offering products that will meet the demand for cyber insurance.
The consumer perspective
In many ways, private individuals can have a much easier time deciding to get cybersecurity insurance than businesses.
For one, many have already personally experienced inconveniences, or have seen someone close to them having problems due to compromised personal data. According to the 2017 Identity Fraud Study from Javelin Strategy & Research, there were over 15 million incidents of identity theft in the US in 2016—and that was before the Equifax breach, which resulted in the compromise of names, Social Security numbers, birth dates, addresses and, in some instances, driver’s license numbers of some 143 million US individuals, i.e. 44% of US consumers!
Martin Hartley, Chief Operating Officer, PURE Group of Insurance Companies, predicts that with the increase of fraud, cyber extortion and ransomware attacks, cybersecurity insurance will become a much more standard part of homeowners’ policies in the coming years, as consumers find themselves liable for resulting costs.
"The risk of consumers’ exposure will continue to increase and similarly, consumers can no longer solely rely on financial institutions, retailers and credit card companies to protect their customers’ data," he says.
But the lack of consumer education in the category leads to confusion about exposure to and coverage for things like online and offline fraud (identity theft, forged checks, etc.), cyber extortion (extortion payments, crisis management) and system attacks (data restoration, system cleanup).
"For private individuals, there is a lack of understanding of the loss that he or she might suffer as a result of a cybercrime, and therefore a misconception of what cyber insurance is needed for. While an individual may be embarrassed by having private photos or data made public, or lose photos and other records to cybercrime, the greatest financial risk is that cyber criminals steal money from the individual’s bank, investment or retirement accounts—and that loss is not compensated by the institution," Hartley points out.
And, as cybercrime continues to evolve and become more complex, the nuances in policy coverage will continue to be incredibly important—both for consumers/businesses and insurance providers.
Hartley expects that, over time, cyber insurance offers will be tied more closely to risk management protocols.
"For example, today we will offer $1 million of fraud and cybercrime coverage only to individuals who subscribe to an active cyber monitoring service, such as Rubica, on their personal networks and devices. Rubica’s solution actively monitors an individual’s devices to block malicious items like malware and phishing attacks, investigate suspicious activity, and warn users of unsafe behaviors, like entering a password on an insecure website," he explained.
He also expects that, as consumers opt to add cybersecurity coverage to their overall insurance programs, insurance companies will begin to collect additional data to deliver more tailored products, from customized offerings to pricing that reflects the risk of each individual.
His advice to consumers thinking about whether or not to opt for cybersecurity coverage is to step back and do a holistic assessment of their lives in order to create a comprehensive risk profile.
"The number of connected devices your family has, use of public Wi-Fi, the number of bank accounts that could become compromised, the presence of children, how many third parties (asset managers, assistants, attorneys, etc.) who help to manage your homes or financial accounts—these are all things that should be considered when assessing vulnerability. With that assessment, a person can make an informed choice about what offerings are appropriate for their particular risk profile."
Cyber insurance is essential for modern businesses
Jerry Caponera, VP of Cyber Risk Strategy at Nehemiah Security, believes that all companies should have cyber insurance but not view it as a crutch or consider themselves "secure" just because they have it.
"Cyber insurance can be a key part of your cyber risk strategy but it isn’t the strategy. In perception / government regulators do to the company. Some of the people working at Equifax will lose their jobs and could struggle to find the next one. And, finally, what about the people whose identity was stolen? No amount of cyber insurance will remove the hassle or financial loss they could incur. So no, I don’t think it’s smart to lead with insurance as your strategy."
For businesses looking at investing in cyber insurance, the main challenge is knowing where to start.
According to Caponera, the enterprises' assessment and decision process should start with understanding all the business applications they have, the data (or digital assets) involved, and how an attack can get at those environments. Doing this requires bringing together the business, IT and security teams to collaborate in a way that not all do today.
Next, they need to understand the details of the cyber policy they’re reviewing: what’s covered as well as what's excluded.
"There are a number of incidents currently in court where the insurance provider is either suing the enterprise to recover some money paid or refusing to pay. The basis for these suits ranges from the enterprise not having 'adequate' security measures in place to the insurance company claiming that a social engineering attack, in which an organization wired funds to a hacker unknowingly, isn’t covered because the transfer wasn’t faked," Caponera points out.
"Most cyber insurance policies cover the cost for forensic analysis of the attack. That’s where issues like 'inadequate' security and social engineering attacks come to light. The key for enterprises is to understand the details of the insurance contract they signed—preferably before they sign it—so that they can reduce the chance of not getting paid out."
And, lastly, they need to make sure they continually evaluate their policy every few months.
"Your risks will change as your business changes, and the policy you have should adapt accordingly. Bottom line—just because you have a cyber policy in place doesn’t mean your insurance needs are covered for good," he adds.
Insurers: The challenge with cyber
According to the National Association of Insurance Commissioners (NAIC), cyber risk remains difficult for insurance underwriters to quantify due in large part to a lack of actuarial data.
"Insurance policies are typically priced (or quantified) by comparing the company’s application to past related losses," Caponera explains. "The challenge with cyber is that while two cyber attacks might be the same on the surface—i.e. they both use ransomware—the environments could be very different, thus making the comparisons meaningless."
Insurers compensate for the lack of that type of information by relying on qualitative assessments of an applicant’s risk management procedures and risk culture. "As a result, policies for cyber risk are more customized than other risk insurers take on, and, therefore, more costly," NAIC notes.
The customization also hinges on things like type, size and scope of the business operation, the number of customers, the business' presence on the Web, the type of data collected and stored, and many other factors.
Caponera, who a few years ago started a company (PivotPoint Risk Analytics) that was focused on quantifying cyber risk in dollars and cents, says that, in general, insurance folks are very smart about insurance but lack critical knowledge about cyber security.
As he's now back in the cyber risk quantification space, his goal is to work with insurance professionals and offer a "cyber perspective" so that they can truly understand the potential losses.
"There are no actuarial tables for cyber risk—it’s a moving target. So if you’re not looking at the asymmetrical nature of how a hacker behaves, you’ll never understand the risk correctly to underwrite the correct risk. And, when attacks grow in size and scale (and when claims aren’t paid out because the lawyers write good contracts for the insurance industry), we’re going to be facing a 'cyber insurance bubble'," he says.
"Given an explosive interest for cybersecurity insurance, fuelled greatly by expanding regulation and data protection laws such as the GDPR, brokers tend to get increasingly shorter timelines for presenting quotes, often within a single day," said Dubravko Stašek, Insurance Broker at InterOmnia d.o.o.
"Businesses need to understand that the intricacies of a tailored cybersecurity insurance policy require a deeper exploration of the organization's overall security posture, as well as their expectations when it comes to coverage."
Caponera hopes that breaches like Merck and Equifax, where the financial losses are high, are the beginning of the change needed in the insurance industry.
"The ideal situation would be an environment where an enterprise quantifies their cyber risk in dollars and creates a plan to buy down that risk. They get a policy that reflects their projected exposure but also takes into account the mitigations they are putting in place," he says, and notes that the insurance industry could provide a discount for implementing the mitigations, thus sharing the "risk reduction" they have for the reduced chance for a payout.
"I think over the next 12-24 months you’ll start to see this shift as the market demands solutions that can quantify risk in an automated manner, using real world data to help mitigate risks," he opined.
Traditional insurance companies will definitely have to innovate in order to remain competitive as technological change keeps its dizzying pace.
According to a recent PwC report, that often means looking outside the industry—typically in the InsurTech space (e.g., drones, sensors, IoT)—for the best ways to improve their systems, processes, and products.
Global consulting outfit Accenture also recently noted that the insurance industry views AI and the IoT as critical to delivering increased levels of personalization and better real-world outcomes for customers.
"Artificial intelligence has the potential to transform the insurance industry from simply assessing risk based on past experience to monitoring risks in real-time and mitigating, or even preventing, losses for customers."